Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-11-2022 01:42

General

  • Target

    07-30 B 周年稳定版)/Theplane.exe

  • Size

    2.3MB

  • MD5

    1ec395eef7d5cc1833c121532f0e232b

  • SHA1

    18d326d98189b324bf86b0683d54a3c3100d0e48

  • SHA256

    acf1ac838ea940bccc84277a76fd8dbecc0e21bcae5140fe1782e11be2165f24

  • SHA512

    6621f98ca4ff338027fa9dd0cf4227fcafe84f0e2b3adbea35abb896fcfa4054b83e1273e603d31ed979dfb4837a5b8adfcc84b8326ec70d502d85a3673183ad

  • SSDEEP

    24576:FQLf4Xvi7/RS7gndLR3IKOCKfJunXKo9yHSAzIZq8y4D3plQ21myoSlxRgVec/MT:FeXsqxLfQ2Ayokgf8veJmb

Score
8/10
upx

Malware Config

Signatures

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe
    "C:\Users\Admin\AppData\Local\Temp\07-30 B 周年稳定版)\Theplane.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dnffeiji.com/dc.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:428

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B0V8N8R7.txt

    Filesize

    601B

    MD5

    db00269a3070f8e2523546dcb7dd3b67

    SHA1

    469f22d14657e6392506dba04f95222bc8fde8c7

    SHA256

    8027a467748d3c9acdb4cb5779d054b0920558ca3b487e4142ef21943c5626a6

    SHA512

    acdbf82ca4fafde47850c9e415a980f7ffe76ced286f033ffa122f7c11fcb7d0442db7090ba085f37b9637f876a1c384e51a5db2bd6eabe22ad6288859b8cef8

  • memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

  • memory/2020-55-0x0000000002280000-0x00000000022F2000-memory.dmp

    Filesize

    456KB

  • memory/2020-56-0x0000000002280000-0x00000000022F2000-memory.dmp

    Filesize

    456KB

  • memory/2020-58-0x0000000002280000-0x00000000022F2000-memory.dmp

    Filesize

    456KB